Arsenal Image Mounter mounts the contents of disk images as complete disks in Microsoft Windows®. Arsenal Image Mounter includes a virtual SCSI adapter (via a unique Storport miniport driver) which allows users to benefit from disk-specific features in Windows like integration with Disk Manager, access to Volume Shadow Copies, and more. As far as Windows is concerned, the contents of disk images mounted by Arsenal Image Mounter are "real" SCSI disks.
For developers, Arsenal Image Mounter source code and APIs are available for royalty-free use by open source projects. Commercial projects (and other projects not licensed under an AGPL v3 compatible license) that would like to use Arsenal Image Mounter source code and/or APIs must contact us to obtain alternative licensing.
For end users, Arsenal Image Mounter's full functionality (along with all our other tools) is available as part of an affordable monthly subscription - currently, $49 per month per license. If Arsenal Image Mounter is licensed, it runs in "Professional Mode", which includes mounting VSCs. If Arsenal Image Mounter is run without a license, it will run in "Free Mode" and provide core functionality.
Arsenal began developing disk image mounting technology after finding existing solutions lacking during the development of Registry Recon. The first version of Arsenal Image Mounter was geared towards developers and formally launched in early 2014. Over time it became clear that end-users, both in the digital forensics and larger information technology communities, had a tremendous interest in Arsenal Image Mounter. In mid-2015 Arsenal refocused Arsenal Image Mounter on end-users, with an emphasis on an easy-to-use and attractive graphical user interface. In mid-2017 Arsenal introduced a Professional Mode (available as part of a monthly subscription to all Arsenal tools) to begin addressing feature requests outside of Arsenal Image Mounter's core functionality.
- Mounts raw, forensic, and virtual machine disk images
- Temporary write support
- "Fake" disk signatures
- Removable disk emulation
- Volume Shadow Copy (VSC) mounting in Professional Mode
Supported Operating Systems
- Windows 10
- Windows 8 (and 8.1)
- Windows 7
- Windows Vista
- Windows Server 2012 (and R2)
- Windows Server 2011
- Windows Server 2010
- Windows Server 2008 (and R2)
- Windows Server 2003 (with KB932755)
Supported File Systems
- Any filesystem with a driver installed is supported
- NTFS, FAT32, ReFS, exFAT, HFS+, UFS, and EXT3 have all been tested
Supported Image Formats
- Raw (dd)
- EnCase (E01 and Ex01 if libewf is available)
- Virtual Machine Disk Files (VHD, VDI, XVA, VMDK… if discutils is available)
Why is Arsenal Image Mounter different than other disk image mounting solutions?
Many disk image mounting solutions mount the contents of images in Windows as shares or partitions (rather than complete disks), which limits their usefulness. Arsenal Image Mounter is the first and only open source solution for mounting the contents of disk images as complete disks in Windows. We have also developed functionality (see “Interesting Functionality” above) that is particularly useful to the digital forensics and incident response community.
Why are some files and folders inaccessible to me after mounting a disk image with Arsenal Image Mounter?
Arsenal Image Mounter passes the contents of disk images to Windows as if they were complete disks. Once Arsenal Image Mounter has passed the contents of disk images to Windows, the file system drivers you currently have installed take over. Arsenal Image Mounter does not do anything magic after passing the contents of disk images off to Windows. If you want to access protected files and folders after mounting the contents of disk images with Arsenal Image Mounter, you will need to use other tools designed to do so.
Is there a command line interface (CLI) version of Arsenal Image Mounter?
Yes - Arsenal Image Mounter CLI is a .NET 4.0 tool that provides most of Arsenal Image Mounter’s functionality. The command “AIM_CLI /?” displays basic syntax for using Arsenal Image Mounter CLI. We have also released Arsenal Image Mounter Low Level which does not use .NET and provides more “low level” access to the Arsenal Image Mounter driver. The command “AIM_LL /?” displays basic syntax for using Arsenal Image Mounter Low Level. You can find Arsenal Image Mounter CLI and Low Level on our GitHub page here.
How can I or my organization contribute to Arsenal Image Mounter?
If Arsenal Image Mounter has become a valuable part of your toolkit, please tell us about how you use it and any suggestions you may have. If your organization uses Arsenal Image Mounter in commercial ventures (consulting, training, etc.) we would greatly appreciate financial support which helps us offset the cost of development. If you or your organization have used Arsenal Image Mounter source code and/or APIs, please make sure you are complying with our licensing requirements.
What does “Fake disk signature” from the “Mount options” screen do?
All-zero disk signatures in Master Boot Records (“MBRs”) are sometimes found in virtual machine environments and can prevent their disks from being mounted properly in Windows. If Arsenal Image Mounter’s read-only mounting is enabled and an otherwise valid MBR exists within a disk image, the “Fake disk signature” function will report a random disk signature to Windows if an all-zero disk signature is found.
What does “Create “removable” disk device” from the “Mount options” screen do?
This function essentially emulates the attachment of a USB thumb drive. We have heard that it facilitates the mounting of images containing partitions rather than disks, even though Arsenal Image Mounter was designed to mount disks specifically. Characteristics (and limitations) of using this function include:
• Windows will only identify and use the first partition on the image, even if the image contains more than one partition
• SAN policies such as requiring new devices to be mounted offline do not apply
• Drive letters are always assigned even if automatic drive letter assignment is turned off
• Windows identifies and uses file systems even for single-volume images that have no partition table
• Inability to interact with Volume Shadow Copies natively
How can I resolve issues mounting EnCase images?
Arsenal Image Mounter is distributed with x64 libewf DLLs that allow the vast majority of our users to mount EnCase images. If you need x86 or experimental (with EnCase Ex01 support) libewf DLLs, you can get them from our GitHub page here. The libewf DLLs should be placed in the same folder as the Arsenal Image Mounter executable.
Do I need an Internet connection for Arsenal Image Mounter licensing?
You only need an Internet connection for Arsenal Image Mounter when you initially enter your license code and when you renew your license. If you cannot connect to the Internet, see the air-gapped workstation instructions below.
How can I license Arsenal Image Mounter on an air-gapped (a/k/a offline) workstation?
If you want your air-gapped workstation properly licensed for Arsenal Image Mounter, please:
- Open Arsenal Image Mounter and enter the license code you were given
- Upon realizing that no Internet connection is available, Arsenal Image Mounter will save a ".LIC" file to your ProgramData\ArsenalRecon folder
- On a workstation with Internet access, go to our Offline Activation page and upload the ".LIC" file.
- Finally, copy the CDM file you receive to your ProgramData\ArsenalRecon folder
Your air-gapped workstation is now ready to run Arsenal Image Mounter!
Can I use Arsenal Image Mounter to mount Volume Shadow Copies (VSCs) in Windows natively?
Yes, you can license Arsenal Image Mounter and use the "Professional Mode" VSC mounting functionality, or you can leverage AIM's basic functionality along with other tools as described on David Cowen's blog here.
Can I use Arsenal Image Mounter to decrypt full-disk and volume encryption within disk images?
Yes, Arsenal Image Mounter is used frequently for this purpose. You can read more about the general process on David Cowen's blog here. You can read more about the specific process involved with decrypting Apple FileVault encrypted volumes on Yogesh Khatri's blog here.
Are you having trouble booting decrypted BitLocker volumes?
See Adam Bridge's excellent blog post on modifying an NTFS volume's Volume Boot Record (VBR) using Arsenal Image Mounter's "Write temporary" mode here.
Is there an Application Programming Interface (API)?
Yes - Arsenal Image Mounter provides both .NET and non-.NET APIs. You can find these APIs on our GitHub page here.
What programming languages have been used to build Arsenal Image Mounter?
Arsenal Image Mounter's Storport miniport driver is written in C and its user mode API library is written in VB.NET, which facilitates easy integration with .NET 4.0 applications.
Use and License
We chose a dual-license for Arsenal Image Mounter (more specifically, Arsenal Image Mounter’s source code and APIs) to allow its royalty-free use by open source projects, but require financial support from commercial projects.
Arsenal Consulting, Inc. (d/b/a Arsenal Recon) retains the copyright to Arsenal Image Mounter, including the Arsenal Image Mounter source code and APIs, being made available under terms of the Affero General Public License v3. Arsenal Image Mounter source code and APIs may be used in projects that are licensed so as to be compatible with AGPL v3. If your project is not licensed under an AGPL v3 compatible license and you would like to use Arsenal Image Mounter source code and/or APIs, contact us to obtain alternative licensing.
Contributors to Arsenal Image Mounter must sign the Arsenal Contributor Agreement ("ACA"). The ACA gives Arsenal and the contributor joint copyright interests in the source code.